How to get/generate AWS Quicksight secure dashboard URL


Question

I want to embed a Quicksight dashboard in an application. I have gone through the AWS Quicksight documents, but I did not get where I will find the secure signed dashboard URL.

Recommended answer

In order to generate a Quicksight secure dashboard URL, follow the steps below:

Step 1: Create a new Identity Pool. Go to https://console.aws.amazon.com/cognito/home?region=us-east-1 and click ‘Create new Identity Pool’.

Give an appropriate name. Go to the Authentication Providers section and select Cognito. Give the User Pool ID (your user pool ID) and App Client ID (go to App Clients in the user pool and copy the ID). Click ‘Create Pool’. Then click ‘Allow’ to create the roles of the identity pool in IAM.

Step 2: Assign a custom policy to the Identity Pool role

Create a custom policy with the JSON below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Note: if you want to restrict the user to only one dashboard, replace the * with the dashboard ARN in quicksight:GetDashboardEmbedUrl.

Then go to the roles in IAM. Select the IAM role of the identity pool and assign the custom policy to the role.

Step 3: Configuration for generating the temporary IAM (STS) user

Log in to your application with the user credentials. For creating the temporary IAM user, we use Cognito credentials. When the user logs in, Cognito generates 3 tokens: IDToken, AccessToken and RefreshToken. These tokens will be sent to your application server.

For creating a temporary IAM user, we use the Cognito Access Token, and the credentials will look like below.

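var AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

AWS.config.region = 'us-east-1';
// Exchange the Cognito user pool token for identity pool credentials.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: "Identity pool ID",
    Logins: {
        'cognito-idp.us-east-1.amazonaws.com/UserPoolID': AccessToken
    }
});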

For generating temporary IAM credentials, we call the sts.assumeRole method with the parameters below.

var sts = new AWS.STS();
var params = {
    RoleArn: "Cognito Identity role arn",
    RoleSessionName: "Session name"
};
sts.assumeRole(params, function (err, data) {
    if (err) console.log(err, err.stack); // an error occurred
    else {
        // data.Credentials holds AccessKeyId, SecretAccessKey and SessionToken
        console.log(data);
    }
});

You can add additional parameters like duration (in seconds) for the user. Now, we will get the AccessKeyId, SecretAccessKey and Session Token of the temporary user.

Step 4: Register the user in Quicksight

With the help of the same Cognito credentials used in Step 3, we will register the user in Quicksight by using the quicksight.registerUser method with the parameters below.

var quicksight = new AWS.QuickSight();
var params = {
    AwsAccountId: "account id",
    Email: 'email',
    IdentityType: 'IAM',
    Namespace: 'default',
    // one of ADMIN | AUTHOR | READER | RESTRICTED_AUTHOR | RESTRICTED_READER
    UserRole: 'READER',
    IamArn: 'Cognito Identity role arn',
    SessionName: 'session name given in the assume role creation'
};

quicksight.registerUser(params, function (err, data1) {
    if (err) console.log("err register user"); // an error occurred
    else {
        // console.log("Register User1");
    }
});

Now the user will be registered in Quicksight.

Step 5: Update the AWS configuration with the new credentials.

The code below shows how to configure AWS.config with the new credentials generated in Step 3.

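// AccessKeyId, SecretAccessKey and SessionToken come from
// data.Credentials returned by sts.assumeRole in Step 3.
AWS.config.update({
    accessKeyId: AccessKeyId,
    secretAccessKey: SecretAccessKey,
    sessionToken: SessionToken,
    region: Region
});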

Step 6: Generate the embed URL for dashboards

By using the credentials generated in Step 3, we will call quicksight.getDashboardEmbedUrl with the parameters below.

var quicksight = new AWS.QuickSight(); // client created after AWS.config.update in Step 5
var params = {
  AwsAccountId: "account ID",
  DashboardId: "dashboard Id",
  IdentityType: "IAM",
  ResetDisabled: true,
  SessionLifetimeInMinutes: 60, // between 15 and 600 minutes
  UndoRedoDisabled: false       // true | false
};

quicksight.getDashboardEmbedUrl(params,
  function (err, data) {
    if (!err) {
      console.log(data);
    } else {
      console.log(err);
    }
  });

Now, we will get the embed URL for the dashboard.

Call QuickSightEmbedding.embedDashboard from the front end with the help of the URL generated above. The result will be the dashboard embedded in your application with filter controls.
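
The Note in Step 2 (replace the * with the dashboard ARN) worked through as an added example that is not part of the original answer: it lists which statements of the Step 2 policy still grant on `*` and builds a scoped copy. The account ID, dashboard ID and role name are constructed placeholders, and pinning `sts:AssumeRole` to the identity pool role is an assumption that goes beyond the Note.

```javascript
// Added example: scope the Step 2 policy to named resources.
const pagePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Action: "quicksight:RegisterUser", Resource: "*", Effect: "Allow" },
    { Action: "quicksight:GetDashboardEmbedUrl", Resource: "*", Effect: "Allow" },
    { Action: "sts:AssumeRole", Resource: "*", Effect: "Allow" }
  ]
};

// Return the actions of every Allow statement that still grants on "*".
function findWildcards(policy) {
  return policy.Statement
    .filter(s => s.Effect === "Allow" && [].concat(s.Resource).includes("*"))
    .flatMap(s => [].concat(s.Action));
}

// Build a copy of the policy with the dashboard and role resources pinned.
function scopePolicy(policy, { region, accountId, dashboardIds, roleArn }) {
  if (!/^\d{12}$/.test(accountId)) throw new Error("accountId must be 12 digits");
  if (!dashboardIds.length || dashboardIds.some(id => !/^[\w-]+$/.test(id)))
    throw new Error("dashboardIds must be non-empty IDs without wildcards");
  if (!roleArn.startsWith(`arn:aws:iam::${accountId}:role/`))
    throw new Error("roleArn must be a role in the same account");
  const scoped = new Map([
    ["quicksight:GetDashboardEmbedUrl", dashboardIds.map(
      id => `arn:aws:quicksight:${region}:${accountId}:dashboard/${id}`)],
    ["sts:AssumeRole", [roleArn]]
  ]);
  return {
    ...policy,
    Statement: policy.Statement.map(s =>
      scoped.has(s.Action) ? { ...s, Resource: scoped.get(s.Action) } : s)
  };
}

// Constructed sample values, not taken from the answer.
const hardened = scopePolicy(pagePolicy, {
  region: "us-east-1",
  accountId: "111122223333",
  dashboardIds: ["sales-overview-dashboard"],
  roleArn: "arn:aws:iam::111122223333:role/Cognito_EmbedAuth_Role"
});
console.log("wildcards before:", findWildcards(pagePolicy));
console.log("wildcards after: ", findWildcards(hardened));
console.log(JSON.stringify(hardened, null, 2));
```

`quicksight:RegisterUser` is left on `*` here; whatever `findWildcards` still reports after scoping is the list to review by hand.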
